Hi,

I can trigger a NULL pointer dereference with the em28xx-aad module.

Steps to reproduce:
1. Boot computer
2. modprobe -k em28xx-aad
3. Plug in the Pinnacle Hybrid Pro Stick (320e)
4. rmmod em28xx-aad

Current result: a segmentation fault of rmmod and some error messages in dmesg. I
attached a patch which adds a BUG_ON at the critical point in em28xx-aad.c.

[  563.253374] Linux video capture interface: v2.00
[  563.279996] em28xx v4l2 driver version 0.0.1 loaded
[  563.286122] usbcore: registered new interface driver em28xx
[  563.302980] initializing Empia Audio Driver
[  563.303560] Copyright (C) 2008 Empia Technology Inc
[  563.303938] Copyright (C) 2008 Sundtek Ltd.
[  565.810070] usb 1-3: new high speed USB device using ehci_hcd and address 3
[  565.939187] usb 1-3: configuration #1 chosen from 1 choice
[  565.946422] em28xx: new video device (eb1a:2881): interface 0, class 255
[  565.946952] em28xx: device is attached to a USB 2.0 bus
[  565.947432] em28xx #0: Alternate settings: 8
[  565.947796] em28xx #0: Alternate setting 0, max size= 0
[  565.948198] em28xx #0: Alternate setting 1, max size= 0
[  565.948566] em28xx #0: Alternate setting 2, max size= 1448
[  565.948985] em28xx #0: Alternate setting 3, max size= 2048
[  565.949393] em28xx #0: Alternate setting 4, max size= 2304
[  565.949757] em28xx #0: Alternate setting 5, max size= 2580
[  565.950158] em28xx #0: Alternate setting 6, max size= 2892
[  565.950526] em28xx #0: Alternate setting 7, max size= 3072
[  566.173552] em28xx #0 at em28xx_gpio_control: <3>register disabled: command=0x6, gpio_value=0x0
[  566.413989] em28xx #0 at em28xx_gpio_control: <3>register disabled: command=0xF, gpio_value=0x0
[  566.480763] attach_inform: tvp5150 detected.
[  566.527532] tvp5150 1-005c: tvp5150am1 detected.
[  568.113767] successfully attached tuner
[  568.126851] em28xx #0: V4L2 VBI device registered as /dev/vbi0
[  568.151751] em28xx #0: V4L2 device registered as /dev/video0
[  568.154976] input: em2880/em2870 remote control as /class/input/input12
[  568.164485] em28xx-input.c: remote control handler attached
[  568.164808] em28xx #0: Found Pinnacle Hybrid Pro
[  568.165674] audio device (eb1a:2881): interface 1, class 1
[  568.166150] audio device (eb1a:2881): interface 2, class 1
[  568.348777] em2880-dvb.c: DVB Init
[  568.383000] em28xx #0 at em28xx_gpio_control: <3>register disabled: command=0x6, gpio_value=0x0
[  568.457339] usbcore: registered new interface driver snd-usb-audio
[  568.923199] DVB: registering new adapter (em2880 DVB-T)
[  568.923937] DVB: registering frontend 0 (Zarlink ZL10353 DVB-T)...
[  568.934770] Em28xx: Initialized (Em2880 DVB Extension) extension
[  579.291192] releasing Empia Audio Driver
[  579.291803] ------------[ cut here ]------------
[  579.291815] kernel BUG at /usr/src/mcentral.de/em28xx-new/em28xx-aad.c:373!
[  579.291824] invalid opcode: 0000 [#1] PREEMPT
[  579.291834] Modules linked in: snd_usb_audio em28xx_dvb snd_usb_lib snd_hwdep drx3973d s921 mt2060 lgdt3304 zl10353 lgdt330x dvb_core qt1010 tuner_xc3028 tvp5150 em28xx_aad(-) em28xx videodev v4l1_compat ppdev lp cpufreq_ondemand cpufreq_conservative ipv6 xt_tcpudp iptable_filter ip_tables x_tables leds_clevo_mail led_class via via_agp drm agpgart eeprom snd_pcm_oss snd_mixer_oss cpufreq_userspace cpufreq_powersave powernow_k8 fan usbhid snd_via82xx snd_mpu401_uart pcmcia snd_via82xx_modem snd_seq_midi firmware_class snd_ac97_codec snd_seq_midi_event ac97_bus mousedev snd_rawmidi snd_pcm snd_seq snd_timer snd_seq_device snd 8139too mii i2c_viapro k8temp soundcore yenta_socket video snd_page_alloc hwmon uhci_hcd bitrev crc32 rsrc_nonstatic i2c_core psmouse 8250_pnp ehci_hcd backlight pcspkr ide_cd_mod 8250 output serio_raw cdrom usbcore pcmcia_core parport_pc serial_core parport battery ac thermal button processor evdev
[  579.292021]
[  579.292021] Pid: 7845, comm: rmmod Not tainted (2.6.27.5 #2)
[  579.292021] EIP: 0060:[<f8c410a0>] EFLAGS: 00210246 CPU: 0
[  579.292021] EIP is at em28xx_aad_fini+0x80/0x90 [em28xx_aad]
[  579.292021] EAX: f69d6000 EBX: 00000000 ECX: 00000000 EDX: f8ec5d40
[  579.292021] ESI: f69d6000 EDI: 00000000 EBP: f44a3f28 ESP: f44a3f20
[  579.292021]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[  579.292021] Process rmmod (pid: 7845, ti=f44a2000 task=f6984020 task.ti=f44a2000)
[  579.292021] Stack: f69d6030 f8c421e0 f44a3f40 f8eab2aa f44a3f40 c0329a16 00000000 f8c42280
[  579.292021]        f44a3f4c f8c41800 f8c4182c f44a3fb0 c014ca68 f8c4228c 38326d65 615f7878
[  579.292021]        f4006461 f44a3f9c c0175651 ffffffff b7f2d000 b7f2d000 00200246 00000001
[  579.292021] Call Trace:
[  579.292021]  [<f8eab2aa>] ? em28xx_unregister_extension+0x3a/0x90 [em28xx]
[  579.292021]  [<c0329a16>] ? printk+0x18/0x1a
[  579.292021]  [<f8c41800>] ? em28xx_aad_exit+0x1c/0x21 [em28xx_aad]
[  579.292021]  [<c014ca68>] ? sys_delete_module+0x158/0x220
[  579.292021]  [<c0175651>] ? do_munmap+0x1e1/0x240
[  579.292021]  [<c0233838>] ? trace_hardirqs_on_thunk+0xc/0x10
[  579.292021]  [<c0103309>] ? sysenter_do_call+0x12/0x31
[  579.292021]  =======================
[  579.292021] Code: 44 89 42 04 89 10 89 d8 c7 43 44 00 01 10 00 c7 43 48 00 02 20 00 e8 50 1a 54 c7 31 c0 c7 86 b8 0d 00 00 00 00 00 00 5b 5e 5d c3 <0f> 0b eb fe 8d b6 00 00 00 00 8d bf 00 00 00 00 55 89 e5 53 89
[  579.292021] EIP: [<f8c410a0>] em28xx_aad_fini+0x80/0x90 [em28xx_aad] SS:ESP 0068:f44a3f20
[  579.292450] ---[ end trace c2f7f7ccc6e31820 ]---
diff -r 3fe18e8981e5 em28xx-aad.c
--- a/em28xx-aad.c	Mon Nov 17 15:35:18 2008 +0100
+++ b/em28xx-aad.c	Thu Nov 20 00:25:08 2008 +0100
@@ -369,6 +369,8 @@
 void em28xx_aad_unregister(struct em28xx_aad_info **aad_int)
 {
 	struct em28xx_aad_info *aad = (*aad_int);
+
+	BUG_ON(!aad);
 	em28xx_aad_devices &= ~(1<<aad->__id);
 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 26)
 	class_device_destroy(aad->__aad_class, MKDEV(aad->__aad_major, 0));
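Review bot: BUG_ON(!aad) at the top of em28xx_aad_unregister() still takes the rmmod process down on exactly the path this report is about (the trace above is this line firing: "kernel BUG at .../em28xx-aad.c:373" inside em28xx_aad_fini), so it turns the implicit NULL dereference of aad->__id into an explicit one but does not fix anything. Because this runs during module exit, an early return that leaves the module unloadable is the better guard, e.g. `if (WARN_ON(!aad)) return;`, which still logs a backtrace for diagnosis. The root cause is in the caller: per the trace, em28xx_unregister_extension() invokes em28xx_aad_fini(), which reaches this function with a NULL aad_info, so the fini path should check whether the audio extension ever attached to that device before calling unregister, rather than relying on a check here.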
_______________________________________________
Em28xx mailing list
[email protected]
http://mcentral.de/mailman/listinfo/em28xx
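As an added example, not code from the em28xx-new tree or from the patch above: a userland C model of a register/unregister pair that hands out a pointer-to-pointer handle, showing the NULL-handle case this report hits on rmmod and the early-return form of the check. The names (aad_info, aad_register, aad_unregister, dev_slot, aad_fini_all) and the per-slot layout are assumptions for illustration, not the driver's own API.

```c
/* Added example, not em28xx-new code: a userland model of register/unregister
 * through a pointer-to-pointer handle. All names are hypothetical stand-ins. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_DEVICES 8

/* Stand-in for struct em28xx_aad_info; only the fields the example needs. */
struct aad_info {
    int id;                 /* bit this device holds in aad_devices */
    char name[32];
};

/* One per probed device. Only devices the audio extension actually
 * attached to get a non-NULL aad; the others stay NULL. */
struct dev_slot {
    struct aad_info *aad;
};

static unsigned int aad_devices;   /* bitmap of ids in use */

/* Claim the first free id and hand the record back through *handle.
 * Returns 0 on success, -1 when every id is taken or allocation fails. */
int aad_register(struct aad_info **handle, const char *name)
{
    for (int i = 0; i < MAX_DEVICES; i++) {
        struct aad_info *aad;

        if (aad_devices & (1u << i))
            continue;
        aad = calloc(1, sizeof(*aad));
        if (!aad)
            break;
        aad->id = i;
        snprintf(aad->name, sizeof(aad->name), "%s", name);
        aad_devices |= 1u << i;
        *handle = aad;
        return 0;
    }
    *handle = NULL;
    return -1;
}

/* Hardened unregister. The driver's version reads (*aad_int)->__id before
 * checking the pointer, which is the NULL dereference in the report. Here a
 * NULL handle (never registered, or already released) is reported and
 * skipped; clearing *handle afterwards makes a repeat call a no-op instead
 * of a double free. Returns 0 if a device was released, -1 if not. */
int aad_unregister(struct aad_info **handle)
{
    struct aad_info *aad = *handle;

    if (!aad) {
        fprintf(stderr, "aad_unregister: nothing attached to this handle\n");
        return -1;
    }
    aad_devices &= ~(1u << aad->id);
    free(aad);
    *handle = NULL;
    return 0;
}

/* Module-exit style teardown that walks every slot, attached or not. This is
 * the shape of the path that oopsed: an unchecked unregister would crash on
 * the first slot whose aad is NULL. Returns the number of devices released. */
int aad_fini_all(struct dev_slot *slots, int n)
{
    int released = 0;

    for (int i = 0; i < n; i++)
        if (aad_unregister(&slots[i].aad) == 0)
            released++;
    return released;
}

unsigned int aad_devices_in_use(void)
{
    return aad_devices;
}

int main(void)
{
    struct dev_slot slots[3] = {{0}};

    aad_register(&slots[0].aad, "video0");
    aad_register(&slots[2].aad, "video1");   /* slots[1] was never attached */
    printf("ids in use: 0x%x\n", aad_devices_in_use());
    printf("released: %d\n", aad_fini_all(slots, 3));
    printf("released on second pass: %d\n", aad_fini_all(slots, 3));
    return 0;
}
```

The second pass over the slots is the point of the example: because the unregister routine both tolerates a NULL handle and clears it after freeing, tearing down the same set of devices twice (or a set that was only partially attached) releases nothing further and never dereferences a stale or NULL pointer, which is the property a module exit path needs.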
